switch OS6860E-P24 blocks communication with AP

[alefran]

Hello everyone,

I have two switches OS6860E-P24 (chassis ID 1) and OS6860E-P48 (chassis ID 2).

On ports 1 to 6 of OS6860E-P24 I have after Aruba IAP 205 connected in POE, with 4 vlans tag on each port.
These ports block direct communication with the AP and from the AP to the internet (one of the vlans uses Radius authentication out of the AP).

OS6860E-P24 (chassis ID 1) on the other ports I have computers and IP phones that work normally.

The APs connected to the OS6860E-P48 switch work normally.

I already tried the command show log swlog | grep 1/1/6 has no alarms.

Any suggestions on how to resolve?

[Gleylancer]

Please post:
- Switch configuration
- Purpose of the 4 mentioned VLANs.
- How you found out that something is being blocked here. Spanning tree?

[alefran]

file vcboot.cfg

!========================================!
! File: /flash/working/vcboot.cfg !
!========================================!
! Chassis:
system name "xx-xxx"

! Configuration:
configuration error-file-limit 2

! Capability Manager:
! Virtual Flow Control:
! LFP:
! Interface:
! Port_Manager:
! Link Aggregate:
! VLAN:
vlan 1-2 admin-state enable
vlan 2 name "xxxxx"
vlan 10 admin-state enable
vlan 10 name "xxxxx"
vlan 30 admin-state enable
vlan 30 name "xxxxx"
vlan 50 admin-state enable
vlan 50 name "xxxxx"
vlan 60-61 admin-state enable
vlan 60 name "xxxxx"
vlan 61 name "xxxxx"
vlan 105 admin-state enable
vlan 105 name "xxxxx"
vlan 115 admin-state enable
vlan 115 name "eduroam"
spb bvlan 4000-4015 admin-state enable
spb bvlan 4000-4015 name "AutoFabric 1/1/1970 03:45:02"
vlan 10 members port 1/1/7-10 untagged
vlan 10 members port 1/1/12 untagged
vlan 10 members port 1/1/15-22 untagged
vlan 10 members port 2/1/1-2 untagged
vlan 10 members port 2/1/9-24 untagged
vlan 10 members port 2/1/31-48 untagged
vlan 105 members port 1/1/1-6 untagged
vlan 105 members port 1/1/23-24 untagged
vlan 2 members port 1/1/11 tagged
vlan 2 members port 1/1/13-14 tagged
vlan 2 members port 1/1/25-28 tagged
vlan 2 members port 2/1/49-52 tagged
vlan 10 members port 1/1/1-6 tagged
vlan 10 members port 1/1/11 tagged
vlan 10 members port 1/1/13-14 tagged
vlan 10 members port 1/1/25-28 tagged
vlan 10 members port 2/1/3-8 tagged
vlan 10 members port 2/1/25-30 tagged
vlan 10 members port 2/1/49-52 tagged
vlan 30 members port 1/1/11 tagged
vlan 30 members port 1/1/13-14 tagged
vlan 30 members port 1/1/25-28 tagged
vlan 30 members port 2/1/49-52 tagged
vlan 50 members port 1/1/7-28 tagged
vlan 50 members port 2/1/1-24 tagged
vlan 50 members port 2/1/31-52 tagged
vlan 60 members port 1/1/1-6 tagged
vlan 60 members port 1/1/11 tagged
vlan 60 members port 1/1/13-14 tagged
vlan 60 members port 1/1/25-28 tagged
vlan 60 members port 2/1/3-8 tagged
vlan 60 members port 2/1/25-30 tagged
vlan 60 members port 2/1/49-52 tagged
vlan 61 members port 1/1/1-6 tagged
vlan 61 members port 1/1/11 tagged
vlan 61 members port 1/1/13-14 tagged
vlan 61 members port 1/1/25-28 tagged
vlan 61 members port 2/1/3-8 tagged
vlan 61 members port 2/1/25-30 tagged
vlan 61 members port 2/1/49-52 tagged
vlan 105 members port 1/1/11 tagged
vlan 105 members port 1/1/13-14 tagged
vlan 105 members port 1/1/25-28 tagged
vlan 105 members port 2/1/3-8 tagged
vlan 105 members port 2/1/25-30 tagged
vlan 105 members port 2/1/49-52 tagged
vlan 115 members port 1/1/1-6 tagged
vlan 115 members port 1/1/11 tagged
vlan 115 members port 1/1/13-14 tagged
vlan 115 members port 1/1/25-28 tagged
vlan 115 members port 2/1/3-8 tagged
vlan 115 members port 2/1/25-30 tagged
vlan 115 members port 2/1/49-52 tagged

! PVLAN:
! Spanning Tree:
spantree mode flat
spantree vlan 1 admin-state disable
spantree vlan 2 admin-state disable
spantree vlan 10 admin-state disable
spantree vlan 30 admin-state disable
spantree vlan 50 admin-state disable
spantree vlan 60 admin-state disable
spantree vlan 61 admin-state disable
spantree vlan 105 admin-state disable
spantree vlan 115 admin-state disable
spantree vlan 4000 admin-state disable
spantree vlan 4001 admin-state disable
spantree vlan 4002 admin-state disable
spantree vlan 4003 admin-state disable
spantree vlan 4004 admin-state disable
spantree vlan 4005 admin-state disable
spantree vlan 4006 admin-state disable
spantree vlan 4007 admin-state disable
spantree vlan 4008 admin-state disable
spantree vlan 4009 admin-state disable
spantree vlan 4010 admin-state disable
spantree vlan 4011 admin-state disable
spantree vlan 4012 admin-state disable
spantree vlan 4013 admin-state disable
spantree vlan 4014 admin-state disable
spantree vlan 4015 admin-state disable

! DA-UNP:
! Bridging:
! Port Mirroring:
! Port Mapping:
! IP:
ip interface "v105" address xxx.xxx.xxx.xxx mask 255.255.254.0 vlan 105 ifindex 1

! IPv6:
! IPSec:
! IPMS:
! AAA:
aaa authentication console "local"
aaa authentication telnet "local"
aaa authentication ftp "local"
aaa authentication http "local"
aaa authentication ssh "local"

aaa tacacs command-authorization disable

! NTP:
ntp server clock0.ovcirrus.com
ntp server clock2.ovcirrus.com
ntp server clock1.ovcirrus.com
ntp server clock3.ovcirrus.com
ntp client admin-state enable

! QOS:
! Policy Manager:
! VLAN Stacking:
! ERP:
! MVRP:
mvrp enable

! LLDP:
! UDLD:
! Server Load Balance:
! High Availability Vlan:
! Session Manager:
! Web:
! Trap Manager:
! Health Monitor:
health threshold memory 80

! System Service:
! SNMP:
! BFD:
! IP Route Manager:
! VRRP:
! UDP Relay:
! RIP:
! OSPF:
! IP Multicast:
! DVMRP:
! IPMR:
! RIPng:
! OSPF3:
! BGP:
! ISIS:
! Module:
! LAN Power:
lanpower slot 1/1 service start
lanpower slot 2/1 service start
lanpower port 2/1/1-24 admin-state disable
lanpower port 2/1/31-48 admin-state disable

! RDP:
! DHL:
! Ethernet-OAM:
! SAA:
! SPB-ISIS:
spb isis bvlan 4000 ect-id 1
spb isis bvlan 4001 ect-id 2
spb isis bvlan 4002 ect-id 3
spb isis bvlan 4003 ect-id 4
spb isis bvlan 4004 ect-id 5
spb isis bvlan 4005 ect-id 6
spb isis bvlan 4006 ect-id 7
spb isis bvlan 4007 ect-id 8
spb isis bvlan 4008 ect-id 9
spb isis bvlan 4009 ect-id 10
spb isis bvlan 4010 ect-id 11
spb isis bvlan 4011 ect-id 12
spb isis bvlan 4012 ect-id 13
spb isis bvlan 4013 ect-id 14
spb isis bvlan 4014 ect-id 15
spb isis bvlan 4015 ect-id 16
spb isis control-bvlan 4000
spb isis interface port 1/1/25-26
spb isis admin-state enable

! SVCMGR:
service stats disable

! LDP:
! EVB:
! APP-FINGERPRINT:
! FCOE:
! QMR:
! OPENFLOW:
! Dynamic auto-fabric:
auto-fabric admin-state enable

! SIP Snooping:
! DHCP Server:
! DHCPv6 Relay:
! DHCPv6 Snooping:
! DHCPv6 Server:
! DHCP Message Service:
! DHCP Active Lease Service:
! Virtual Chassis Split Protection:
! DHCP Snooping:
! APP-MONITORING:
app-mon separate-config-file

! Loopback Detection:
! VM-SNOOPING:
! PPPOE-IA:
! Security:
! Zero Configuration:
! MAC Security:
! OVC:
! EFM-OAM:
! ALARM-MANAGER:
! DEVICE-PROFILE:
! PTP:
! IP DHCP RELAY:
! TEST-OAM:
! LOOPBACK TEST:
! UDP6 RELAY:
! MGMT AGENT:
! MRP:
! PKGMGR:

[alefran]

One of the vlans uses eduroam org. The other vlans are opened with captive portal.

I've tried with Spantree enabled and disabled in both cases the operation was the same.

The Aruba AP becomes unresponsive to PING, SNMP and HTTPS. Users who connect to the various AP are unable to authenticate in the eduroam radius or have impaired navigation, appearing to be a DNS failure.

command output: show log swlog | grep 1/1/6
no result

ping on AP Aruba port 1/1/6 (sw OS6860E-P24)
no answer

ping on AP Aruba port 2/1/25 (sw OS6860E-P48)
Response from XXX.XXX.X.XX: bytes=32 time=3ms TTL=64


thank you for your support

[Gleylancer]

One difference I see right off the bat is that 1/1/1 - 1/1/6 have default VLAN 105, while your AP on Port 2/1/25 does not.

"show vlan members" is a good way of comparing this. Since a full output can get big fast, it can be limited to ports, and I would suggest comparing the ports directly:
show vlan members port 1/1/1
show vlan members port 2/1/25

A default VLAN is usually used to configure a Lightweight Access Point before it goes live. Your AP on 2/1/25 does not have one, so it is in default VLAN 1 while the others are in 105, probably waiting for their configuration.

[alefran]

before
-> sh vlan members port 1/1/1
vlan type status
--------+-----------+---------------
10 qtagged forwarding
60 qtagged forwarding
61 qtagged forwarding
105 default forwarding
115 qtagged forwarding

after
-> sh vlan members port 1/1/1
vlan type status
--------+-----------+---------------
1 default forwarding
10 qtagged forwarding
60 qtagged forwarding
61 qtagged forwarding
105 qtagged forwarding
115 qtagged forwarding

I'm testing and probably solved it with this configuration.

Thank you very much for the support

[Gleylancer]

Just a heads up, using vlan 1 as a vlan for configuration deployment is a very bad idea and will result in future messes.